amnersaucedososa / ticketly

SQL Injections in reports.php

jcarabantes opened this issue · comments

Hi!

There are multiple SQL injections in the same file, reports.php, because some of the parameters are not sanitized.

Example GET Request
/reports.php?view=reports&project_id=&priority_id=&start_at=&finish_at=&status_id=-2%20or%20true--%20-&kind_id=1

Vulnerable parameters:

  • kind_id
  • status_id
  • project_id
  • priority_id

The problem is in the $sql variable, where those parameters are concatenated without prior sanitization:

...
// Vulnerable: each GET value is appended to the SQL text as-is, so a value
// such as "-2 or true-- -" becomes part of the query.
$sql = "select * from ticket where ";
if ($_GET["status_id"] != "") {
    $sql .= " status_id = " . $_GET["status_id"];
}
if ($_GET["kind_id"] != "") {
    if ($_GET["status_id"] != "") {
        $sql .= " and ";
    }
    $sql .= " kind_id = " . $_GET["kind_id"];
}
if ($_GET["project_id"] != "") {
    if ($_GET["status_id"] != "" || $_GET["kind_id"] != "") {
        $sql .= " and ";
    }
    $sql .= " project_id = " . $_GET["project_id"];
}
if ($_GET["priority_id"] != "") {
    if ($_GET["status_id"] != "" || $_GET["project_id"] != "" || $_GET["kind_id"] != "") {
        $sql .= " and ";
    }
    $sql .= " priority_id = " . $_GET["priority_id"];
}
...

The best way to solve this kind of issue would be the use of prepared statements (PDO), which will require some code modifications (implementing an ORM, for example).

PoC showing version/user/dbname

[screenshot: sqli]
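The following is an added example and is not part of the issue above or of the ticketly code base. It places a function that mirrors the concatenation in reports.php beside a hardened builder that validates each filter value as an integer and binds it through a PDO prepared statement. The table and column names (ticket, status_id, kind_id, project_id, priority_id) are taken from the snippet in the issue; the $get array stands in for $_GET, the sample rows are constructed, and the demonstration assumes PHP with the pdo_sqlite extension available.

```php
<?php
declare(strict_types=1);

// Added example, not ticketly's own code: the original string concatenation
// next to a PDO prepared-statement replacement. $get stands in for $_GET.

const FILTER_COLUMNS = ['status_id', 'kind_id', 'project_id', 'priority_id'];

// Mirrors what reports.php does today: the raw request value lands in the SQL text.
function vulnerableSql(array $get): string
{
    $parts = [];
    foreach (FILTER_COLUMNS as $col) {
        if (($get[$col] ?? '') !== '') {
            $parts[] = " $col = " . $get[$col];
        }
    }
    return 'select * from ticket where' . implode(' and', $parts);
}

// Hardened builder: column names come from a fixed list, values are validated
// as integers and bound as parameters, so the SQL text never contains user input.
function buildTicketQuery(array $get): array
{
    $conditions = [];
    $params = [];
    foreach (FILTER_COLUMNS as $col) {
        $raw = $get[$col] ?? '';
        if ($raw === '') {
            continue; // empty parameter means "no filter", as in the original
        }
        $value = filter_var($raw, FILTER_VALIDATE_INT);
        if ($value === false) {
            throw new InvalidArgumentException("Invalid value for $col");
        }
        $conditions[] = "$col = :$col";
        $params[":$col"] = $value;
    }
    $sql = 'SELECT * FROM ticket';
    if ($conditions !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    return [$sql, $params];
}

function fetchTickets(PDO $pdo, array $get): array
{
    [$sql, $params] = buildTicketQuery($get);
    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration on an in-memory SQLite database with constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ticket (id INTEGER PRIMARY KEY, status_id INTEGER, kind_id INTEGER, project_id INTEGER, priority_id INTEGER)');
$pdo->exec('INSERT INTO ticket VALUES (1, 2, 1, 1, 1), (2, 3, 1, 1, 2), (3, 2, 2, 1, 1)');

// The payload from the issue, as it arrives in $_GET after URL decoding.
$payload = ['status_id' => '-2 or true-- -', 'kind_id' => '1'];

// Concatenation turns the filter into "or true" and comments out "and kind_id = 1".
echo vulnerableSql($payload), PHP_EOL;

// The hardened builder refuses the same input before any SQL is executed.
try {
    fetchTickets($pdo, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate request still works and is fully parameterised.
foreach (fetchTickets($pdo, ['status_id' => '2', 'kind_id' => '1']) as $row) {
    echo 'ticket ', $row['id'], PHP_EOL;
}
```

The integer check is what closes the hole for these four parameters: because every filterable column is an id, rejecting anything FILTER_VALIDATE_INT does not accept is strict without breaking legitimate requests, and binding the value with PDO::PARAM_INT keeps it out of the query text even if the validation were later relaxed. Building the WHERE clause from a list also removes the original's case where no parameter is set and the query ends in a bare "where".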